Solved

Secure & best practice of file & folder sharing between laptops & PCs

Posted on 2016-07-18
Last Modified: 2016-07-26
I'm drafting something for IT guys if they want to share their files/info within the team
& we don't have SharePoint currently.

For sure, passwords & sensitive info like payslips must not be shared this way.

Besides sharing out explicitly using NTFS permissioning (I think this is equivalent of
using icacls), what other measures should we undertake?

a) is a network share  (ie Windows  'net share sharename=c:\myfolder' ) encrypted?
b) how can we prevent domain admins from accessing the information/file/folder?
c) should we set up firewall rules to permit only ppl within same team (say
    netadmins) to access the share?  But we have an issue in that some of the
    PCs are on DHCP (ie non static IP)
d) any other measures?
Question by:sunhux
7 Comments
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 41718169
Disk-level encryption will not work, as the share will be unencrypted over the share.
Use groups for share permissions and get granular with NTFS permissions.
Domain admins are by definition local admins, so even a deny for the Domain Admins group can be overridden easily.
c) cannot be done easily.

You could use WinZip / WinRAR / 7-Zip to encrypt the files, and only the users that should have permissions have the password.
 

Author Comment

by:sunhux
ID: 41719019
Is it a good practice to use Windows Firewall to permit PCs of a specific IP range to access,
as in our case, our IT dept uses a specific range of DHCP IPs while users of each dept
use a different range?

What are the TCP & UDP ports used by Windows "net share" & can we customize these
ports to use some other ports (just like some SSH servers and FTP servers can be made to
listen on different ports)?

So when data is copied over from a Windows Network share, it's not encrypted?
 
LVL 61

Accepted Solution

by:btan
btan earned 250 total points
ID: 41719181
Even the NTFS permission is a huge chunk, to ensure not only access rights but that they are role based (security group like Department or Job), specific to determine who can (identity assigned) and to what resource (file & folder) with what permission given (rights mgmt. if possible, otherwise ACL using least privilege to do the job). You can catch it here: https://technet.microsoft.com/en-us/library/cc780313(v=ws.10).aspx

One problem faced with file shares, which is not about ACLs or having rights mgmt. enforced in documents, is the manageability of "Folder Spread" - multiple folders and files created at the root folder not only overload the system resources for indexing but also make it hard to track security activities, and in fact make it easier for Ransomware to spread to all folders and files from the root by enumerating each file server instance. We need to limit exposure, assuming the event of infection or malware starting to propagate and jump from server to server to spread infection. So the practice is for
- root folder (administrator, read only root-level folder)
-- "horizontal" folder mgmt. with a logically restricted number of child folders (limit to max 10 folders and each is based on a unique department purpose)
-- "vertical" folder/file mgmt. to limit the file path to not more than the 255 char naming length (do not advocate too deep a folder structure, as data can be lost easily when it is missed out of a targeted backup of certain data types; it reduces the file I/O access too)

Consider
- Have an overall access matrix to chart the security assignment to the file shares (as the resource)
- Be able to map to the central security group and user assigned as well as the file share in the authorized system.
- Have audit trails for access enabled
- Separate critical or time sensitive folders out into another server or map them into another drive.
- Differentiate between classified and non-classified information and further restrict access to public access (enterprise level) and private (dept, team, user level)
- Set permissions once the folder access level is determined, to separate read-only and working (writable) within the mapped shares
- Avoid over-segregation of folders such as "folder spread" and minimize the depth of folders with limited path names (use easily interpreted naming to determine its purpose)

I heard of the use of decoy folders to make the Ransomware work hard, such that it keeps enumerating into the sub-folders - in a sense, lost in the maze - such that an alert on such anomalous access can be triggered centrally for quick response...

Author Comment

by:sunhux
ID: 41719634
> - Have audit trails for access enabled
Could you point me to a link which gives instructions on enabling audit trail/logging if a shared
folder or file(s) are being accessed (copied, read, edited & deleted)?

> classified and non-classified information
So admin passwords (of servers, domain admin, firewalls etc) should not be shared, while network diagrams and the
IP address list are classified, while documents meant for corporate-wide viewing (say Security Policy) are
non-classified?

> use of decoy folder purpose to make the Ransomware work hard
We have quite a number of ransomware attacks, so it would be nice to elaborate on this.
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 41720086
A PDF guide that provides step-wise instructions to enable auditing on a file server and track every change in real time - http://www.lepide.com/guide/enable-file-folder-access-auditing.pdf

Classification is based on context and owner discretion as to the level of protection. There should be levels of classification and guidance on classifying information, and not a wild guess. Those IP addresses and network diagrams are unique to your enterprise and should be treated with strict confidence, esp. when they are used enterprise-wide. Everyone in the enterprise having access does not mean it is non-classified. They are different matters; in fact it is even more pertinent to emphasise treating this corporate info as privileged info.

A good read on the anti-Ransomware strategy, which includes decoy files and recursive folders:
"Another way of impeding ransomware was proposed on the Free Forensics blog. This method involves setting up infinitely-recursive directories by taking advantage of certain features of the Windows file system. Ransomware that attempts to traverse the file system to locate the files it needs to encrypt will get stuck in such a sinkhole, giving the victim the opportunity to react to the infection."
https://zeltser.com/detect-impede-ransomware/
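The audit-trail and decoy-folder ideas from this answer can be combined on the file server. The following is an added example, not part of the thread or of the linked guides; the decoy path, the decoy file name and the `Get-DecoyAccess` helper are hypothetical. It turns on file-system auditing, places an audit rule on a decoy folder that no legitimate user should write to, and lists any event 4663 that touches it.

```powershell
# Added example. The decoy path and file name are hypothetical placeholders.
$decoy = 'D:\Shares\NetAdminDocs\_old_backups'

# 1. Enable object-access auditing for the file system (run from an elevated prompt).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Create the decoy folder with one bait file, then attach an audit rule (SACL).
#    Only write and delete access is audited, so backup and AV reads stay quiet.
New-Item -ItemType Directory -Path $decoy -Force | Out-Null
Set-Content -Path (Join-Path $decoy 'accounts_2015.xlsx') -Value 'decoy'
$acl  = Get-Acl -Path $decoy -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'WriteData, AppendData, Delete',
    'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $decoy -AclObject $acl

# 3. Report every audited access (Security event 4663) under the decoy folder.
function Get-DecoyAccess {
    param([string]$Folder, [int]$Minutes = 15)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        # Read the event fields by name rather than by position.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $name = $data['ObjectName']
        if ($name -and $name.StartsWith($Folder, [StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time   = $evt.TimeCreated
                User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object = $name
                Access = $data['AccessMask']
            }
        }
    }
}

# Any row returned here is a write or delete inside the decoy and deserves a look.
Get-DecoyAccess -Folder $decoy -Minutes 15 | Format-Table -AutoSize
```

Running the query from a scheduled task and forwarding its output to the team's alerting channel gives the central trigger the answer describes.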
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 41726171
> So when data is copied over from a Windows Network share, it's not encrypted?

It can be if using SMB 3.0. The default is not encrypted since it has considerable overhead.
https://technet.microsoft.com/en-us/library/dn551363(v=ws.11).aspx

The ports are fixed (port 445) and defined by IANA.
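The points raised in this thread (group-based share and NTFS permissions, SMB 3.0 encryption, and the fixed port 445) fit into one short server-side setup. This is an added example, not code from any of the posters; the share name, path, `CONTOSO\NetAdmins` group and `10.20.30.0/24` subnet are assumed placeholders for the team's security group and the IT department's DHCP range.

```powershell
# Added example. Share name, path, group and subnet are hypothetical placeholders.
$share  = 'NetAdminDocs'
$path   = 'D:\Shares\NetAdminDocs'
$group  = 'CONTOSO\NetAdmins'   # assumed AD security group for the team
$subnet = '10.20.30.0/24'       # assumed DHCP range used by the IT department

New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS: stop inheriting from the parent, then grant SYSTEM, local Administrators
# and the team group only (the group gets Modify, not Full Control).
icacls $path /inheritance:r `
    /grant:r "SYSTEM:(OI)(CI)F" `
    /grant:r "BUILTIN\Administrators:(OI)(CI)F" `
    /grant:r "${group}:(OI)(CI)M"

# Share: permission goes to the group, and SMB 3.0 encryption is required for this share.
New-SmbShare -Name $share -Path $path -ChangeAccess $group -EncryptData $true | Out-Null

# Refuse clients that cannot negotiate SMB encryption instead of serving them in clear text.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# Firewall: the SMB port (TCP 445) cannot be moved, but the built-in inbound rule
# can be scoped to the IT department's address range.
Set-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' `
    -RemoteAddress $subnet -Enabled True

# Verify: the share reports EncryptData = True, and connected sessions show dialect 3.x.
Get-SmbShare -Name $share | Select-Object Name, Path, EncryptData
Get-SmbShareAccess -Name $share
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect
```

The subnet scope narrows who can reach port 445 at all, while the group membership remains the actual access decision, so PCs on DHCP need no static address.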
 
LVL 61

Expert Comment

by:btan
ID: 41726185
To add on classification for enterprise-wide info: it can be only for internal reading and not public access, so rightfully it should be classified as Restricted minimally. Security policy is classified as Restricted in that sense. If there is a need to share classified info, the advice is to declassify and sanitise it before sharing with external parties, esp. the contractor. Otherwise, strict handling must be authorised and overseen by the enterprise staff.